Thank You

Privacy Policy

Overview

Overview

Medallia Experience Cloud Notice

Website Notice

Recruitment Notice

Cookies Notice

California Consumer Privacy Act Notice

Overview

Last Reviewed and Updated April 6, 2020

At Medallia, we want to provide you with information about the collection and use of your personal data. The following privacy notices explain the different ways your personal data is collected and used, and how you can exercise your preferences.

For additional privacy inquiries

If you have questions about our privacy practices, you can contact us by emailing [email protected], or by writing to us at:

Privacy, Medallia, Inc.

575 Market Street Suite 1850, San Francisco, CA 94105

Privacy, Medallia Limited

5th Floor 80 Cheapside London EC2V 6EE

Medallia Experience Cloud Notice

Effective Date: April 6, 2020 - Last Reviewed and Updated April 6, 2020

Introduction

This notice addresses the data Medallia collects to provide our SaaS platform and services to our clients. Clients use this platform to collect customer feedback through different channels, including surveys and integrations with other platforms. Medallia also provides reporting applications that allow our clients to view and analyze the collected feedback.

In our privacy notice, we use the following terms:

“Medallia Experience Cloud” refers to the SaaS platforms and related online services (such as CSM tools), as well as the accompanying professional services we provide to our clients.

“CSM Tools” refers to the customer success analytics platforms, such as Strikedeck, that we offer via a SaaS model.

“customer” refers to an individual who has had an interaction with a Medallia client and whose feedback is collected through the Medallia Experience Cloud. Customer interactions can span a wide variety, and include purchasing goods or services, contacting customer support, checking in to a hotel or property, and visiting a client’s web page or using its mobile app.

“respondent” refers to an individual who is prompted to provide feedback to one of Medallia’s clients through the Medallia Experience Cloud.

What Data We Collect and How We Collect It

Medallia’s and our Clients’ Roles in Data Collection. In providing the Medallia Experience Cloud to our clients, Medallia collects data only according to our clients’ instructions. Our clients specify what customers we should contact to provide feedback, when we should contact them (for example, after completing a purchase at a client’s retail store), how we should contact them (for example, email or SMS), how often we should send them reminders to provide feedback, and what questions are asked. Medallia’s clients also decide whether to use inbound or outbound data integrations, and how to use or respond to feedback that is collected.

Medallia enters into agreements with our clients that legally obligate Medallia to protect data we receive or are directed to collect, and use it only to provide the products and services specified by the client. Under many data protection laws, including those in Europe, Medallia is considered a “data processor” to our clients, and our clients are considered “data controllers.” As data controllers, Medallia clients are responsible for complying with laws that may require notice, disclosure or consent related to the transfer of data to Medallia or its use in the Medallia Experience Cloud.

For more information on the types of data collected by a particular Medallia client, refer to the privacy notice or communications of the Medallia client. Our clients’ privacy notices are commonly located in the Medallia survey invitation (for web-based surveys) or on the client’s web site or mobile application (for digital surveys).

Legal Basis for Processing. Medallia clients provide instructions with regard to the upload, collection, transfer, and access of personal data in the Medallia Experience Cloud. As such, Medallia clients determine the legal basis they have for data processing. Medallia clients can use legitimate interest or consent as a legal basis for processing personal data in the Medallia Experience Cloud, although others may apply. For more information, refer to the privacy notice or communications of the Medallia client.

Identity of the Data Controller. As data controllers, Medallia clients are responsible for identifying themselves, where appropriate, in communications sent by the Medallia Experience Cloud. For example, Medallia survey invitations sent by email or SMS should identify the name of the Medallia client who directs us to conduct the survey. If you are having trouble identifying the data controller associated with a particular Medallia survey, please contact Medallia survey support here.

Web-based Surveys and Chat Communications. In web-based surveys offered by the Medallia Experience Cloud, customers or employees receive a survey invitation and respond to the survey in a web interface. In addition, with the Medallia Experience Cloud’s chat communication products, clients can communicate with their customers through SMS or popular messaging applications. To send survey invitations or chat communications Medallia clients can, for example, provide the Medallia Experience Cloud with customer names, email addresses, mobile phone numbers, social messaging handle, and information about the customers’ interactions with their business (e.g., the name of the client’s store where the customer shopped or the hotel at which they are staying). In addition, Medallia clients can provide the Medallia Experience Cloud with information that segments customers into groups, such as the type of account the customer holds, the type of product or service purchased, or whether the customer is enrolled in a loyalty program.

When a respondent navigates to a Medallia web-based survey or a chat communication, Medallia collects the respondent’s IP address, the date and time the respondent accessed the survey, survey or chat responses (typically numerical scores and narrative text responses), how far the user has navigated in the survey, and the type of device and web browser the customer used to access the survey. In some surveys, clients also direct Medallia to collect the geographical location of the customer’s device that is used to access the survey.

Digital Surveys. Clients can use the Medallia Experience Cloud’s digital feedback capture tools to prompt their customers to respond to a survey within the client’s digital channels, such as a web page or mobile application. Clients can configure these surveys to:

prompt customers for information such as name, email, a survey score, and a narrative text response to a prompt;

collect customer ID (such as the login name or email the customer uses to access the client’s web site or mobile application); and

allow customers to take a screenshot that captures portions of the client’s web page or mobile application.

Integrations. Clients can integrate other tools, processes or platforms as inbound sources of data for the Medallia Experience Cloud, such as CRM platforms or marketing tools. For CSM Tools, Clients can integrate other tools, processes, or platforms via pre-built or custom-built data connectors. For example, data may be pulled into CSM Tools from analytics platforms, app monitoring platforms, client databases, or data warehouses. Medallia clients control what data is stored in the Medallia Experience Cloud from these integrations. For more information, refer to the privacy notice or the communications of the Medallia client.

Clients can also configure the Medallia Experience Cloud as an outbound source of data for other tools, processes, or platforms, such as collaboration tools. Clients and any third parties associated with those tools, processes, or platforms are responsible for managing personal data outside the Medallia Experience Cloud. For example, clients can configure surveys to prompt customers to write reviews on third-party websites. If a customer chooses to submit a review for publication on that third-party site, any information the customer provides on that site is governed by the privacy notice or communications of that site.

Medallia Reporting Applications. Medallia provides clients web-based and mobile applications that are used by employees of Medallia clients to review and analyze customer feedback and other data collected in the Medallia Experience Cloud (referred to as “reporting applications” in this notice). To provide their employees access to these applications, clients may send Medallia employee names, identifiers (e.g., an employee ID), job title or function, and the store or business location they are associated with.

When an employee accesses a Medallia reporting application, Medallia collects the employee’s user name, IP address of the device used to access the reporting application, geographic area associated with the IP address, type of web browser and mobile device, time and date that the reporting application was accessed, and areas of the reporting application that were visited.

Social Media Features and Widgets. Clients can configure surveys to include social media features, such as the Facebook Like button and widgets, such as the “share this” button. These features may collect your IP address, which page you are visiting on our site, and may set a cookie to enable the feature to function properly. Your interactions with these features are governed by the privacy notice or privacy-specific communications of the company providing them.

CSM Tools. Our CSM Tools, such as the Strikedeck platform, can be used by employees of Medallia clients to review and analyze customer feedback data as well as customer success data to track customer interactions, satisfaction levels, and product usage. Clients may also send surveys, alerts or other email communications directly from the CSM Tools. Medallia clients may also use data connectors to directly pull in information about their customers’ interactions with their business. In addition, clients can provide the CSM Tools with information that segments customers into groups, such as the type of account the customer holds or usage behavior, or on an individual level, such as by contact type.

Information Medallia Does Not Collect. Unless configured by a client to do so, the Medallia Experience Cloud does not collect sensitive data, such as credit card numbers or government identification numbers, nor does it collect information defined as “sensitive personal data” under EU law, such as race, sexual orientation, or union membership.

How Personal Data is Used

By Medallia and Partners. Medallia uses personal data gathered in the Medallia Experience Cloud to provide the SaaS platform and services for which the client has engaged Medallia.

These uses can include contacting a client’s customers to provide feedback for web-based and digital surveys, providing gathered feedback and assisting the customer in managing data in the Medallia Experience Cloud, and analyzing the data gathered to improve the client’s business.

Medallia Clients. Medallia clients can use personal data collected in the Medallia Experience Cloud to improve their customers’ experiences with their business. Clients can use Medallia’s reporting applications to provide customer feedback to their front line employees, as well as managers and executives. Clients can also perform analysis in customer feedback to prioritize and make operational changes to their business, and use personal data gathered in the Medallia Experience Cloud to send follow-up communications to customers.

Who Accesses Personal Data

Medallia Professional Services and Support. When a Medallia client engages Medallia’s professional services teams, Medallia professional services employees in Medallia’s Group Companies can access personal data of that client to perform work associated with tasks described above. If there is a support request, troubleshooting issue, or technical error (e.g., bug or product malfunction) that requires access to personal data, Medallia support and engineering staff in the Group Companies who are needed to address the issue will access that data.

Access to personal data stored in the Medallia Experience Cloud is provided using systems, procedures and controls approved by Medallia’s security team. Access is provided only as long as needed to perform the necessary work.

Third Party Professional Services, Servicing and Support. If permitted by a client, Medallia can use third parties to provide support for respondents and individuals who use the Medallia Experience Cloud. Medallia clients can also provide access to the Medallia Experience Cloud to third party partners to perform systems integration, consulting, market research or servicing. For examples of Medallia’s professional services partners, see https://www.medallia.com/partners/.

Medallia Clients. Medallia clients can provide their employees access to the Medallia Experience Cloud so that they can view and analyze gathered feedback. For more information, please contact the appropriate Medallia client.

Third-Party Technology Providers. Medallia transfers personal data as needed to vendors who provide our help desk ticketing software, support our technical operations (including vendors who assist us with web and mobile visitor analytics and SaaS event logging), assist with data transmission (including content delivery networks), and provide data storage. Depending on the technology integrations or features chosen by a Medallia client, we also transfer personal data of our client’s customers and respondents as needed to provide the integrations or features (including, for example, interactive voice response, SMS, machine translation, or screen capture features).

Third parties that are provided access to personal data in the Medallia Experience Cloud are evaluated by Medallia’s vendor risk management program and agree to appropriate security and data processing agreements with them.

Security.

Medallia maintains a comprehensive security program with appropriate organizational and technical security practices measures to protect data stored in the Medallia Experience Cloud. For more details, visit https://www.medallia.com/security/.

Storage Period.

The data of a Medallia client is retained in the Medallia Experience Cloud until the termination of the client’s subscription, unless earlier deleted or modified per the client’s request.

Data Subject Rights.

The Medallia Experience Cloud provides clients tools and processes for data modification, export, or deletion to address the needs of individuals in the EEA, or in other jurisdictions that provide individuals similar rights. If you are a individual who wants to modify, access, or delete personal data associated with you in the Medallia Experience Cloud, please contact the appropriate Medallia client.

Opt Out and Withdrawal of Consent.

Medallia offers its clients opt-out mechanisms to include in communications to individuals. Individuals who exercise an opt-out mechanism will be opted out of further communications for the relevant client for that communication channel.

International Data Transfer and Adequacy Laws

Personal data of data subjects can be processed by Medallia Group Companies or third parties in countries that have data protection laws different from those applicable to the data subjects. To satisfy adequacy requirements related to this international data transfer (such as those in the EEA):

Medallia signs data processing agreements with our vendors and clients that have robust privacy and security terms, including, where appropriate, the Standard Contractual Clauses. If you are a Medallia client and would like to obtain a copy of our data processing agreement, contact your Medallia engagement representative.

Disclosure of Data for Legal Obligations.

Medallia will provide data discussed in this notice to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend Medallia’s legal rights, or (iiii) to protect the vital interests of our clients and their employees, customers and respondents, or those of any other person. When requested by legal authorities to disclose personal information, Medallia will inform the court of various factors justifying confidentiality and customer or respondent anonymity. Medallia will communicate with the affected client or individual as soon as possible, unless prohibited by law or court order.

Disclosure of Data for Merger, Acquisition or Sale.

If Medallia is involved in a merger, acquisition or sale of all or a portion of its assets, Medallia may transfer data discussed in this notice to the buyer or new parent company. In this circumstance, the appropriate individuals will be notified about the change in ownership and use of their personal data, as well as any choices they may have regarding personal data.

Collection of Personal Data of Minors.

Medallia clients can use the Medallia Experience Cloud to gather feedback from individuals under 16. Such clients are responsible for complying with any applicable laws that require notice, disclosure or consent to individuals under 16. For more information, refer to the privacy notice or privacy-specific communications of the Medallia client.

Complaints.

You have the right to complain to a data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority. Contact details for data protection authorities in the European Economic Area are available here. Contact details for the Federal Trade Commission are available here.

Website Notice

Effective Date May 30, 2018 - Last Reviewed and Updated May 30, 2018

Introduction

This notice addresses the data we collect through Medallia’s company websites, including www.medallia.com. Medallia uses this data for marketing purposes, including contacting prospective clients and understanding the ways users interact with our website.

Identity of the Data Controller

Medallia is the data controller for the marketing and website analytics data we collect. If you have additional questions about our practices as a data controller or if you would like to issue a complaint, you may contact us at [email protected] or by mail at the following addresses:

Marketing

What Data We Collect. Medallia collects data for its marketing efforts, including, information you voluntarily provide us, information we automatically collect from you, and information we obtain from third party sources (collectively, “Marketing Data”).

Information We Collect Voluntarily

Medallia collects information you submit through our website when signing up to receive information about our product, services, and industry, participating in our Operational Customer Experience Management Assessment (“OCEM Assessment”), or when registering for an event. The information you provide may include, for example, first and last name, email address, physical address, phone number, employer and employment title. We use this information to provide you with information that you might be interested in about our products, services and industry, share results related to your OCEM Assessment, and register you for events.

Information We Collect Automatically

In order to improve the Medallia website and understand how users are engaging with it, Medallia also collects information by using tracking technologies. This includes IP address, geolocation, time of website access, unique device ID, web browser and device information. For more information about our use of cookies and tracking technologies you may access our Cookies Notice by clicking here.

Information We Obtain from Third Party Sources

In some instances, Medallia engages with third party sources to obtain additional information about you. For example, Medallia collects business contact information from Medallia partners, industry event providers, or business intelligence providers. Information collected by business intelligence providers is publicly available and used by Medallia marketing and sales teams to determine your company’s interest in Medallia’s products and services. You may opt out of these communications at any time by clicking the “unsubscribe” link in the email correspondence or by accessing our Preference Center here.

How We Use Personal Data.

Marketing Outreach and Communication. Medallia uses Marketing Data to communicate with you for the purpose of providing you with information about Medallia products and services. We may also inform you about Medallia resources, news and updates, webinars, events, CEM certification courses, conferences, and information related to our blog. We provide this information to you via several channels, including, for example, direct mail and email communication, phone or SMS communication, event registration, onsite experience programs, ad targeting and retargeting efforts and website feedback surveys. Medallia also uses Marketing Data to understand the ways in which you access our website and to analyze trends related to usage. Medallia may analyze usage to evaluate our marketing effectiveness and retool portions of the site to provide a more convenient experience to you.

Website Feedback Survey and OCEM Assessment. We collect survey information from digital surveys embedded in our website. Medallia’s marketing team can access and use survey feedback you choose to provide to evaluate your impression of and interactions with our website, and improve your browsing experience. Our survey allows you to provide your name and email address should you be interested in signing up for an event with us, or indicate what brought you to our site, including, for example, recruitment opportunities or product demos. The survey also allows you to take a screenshot of portions of our website that you would like to provide feedback about. This survey collects analytics information such as your IP address and type of web browser or mobile device used in accessing our site. We also allow you to engage with our OCEM Assessment to assess your customer experience preparedness. Our marketing and sales teams collect OCEM Assessment responses to refine our communication with prospective customers. We also use this information to help customers further define their customer experience goals. You may provide additional information within the OCEM Assessment, including, for example, name, email address, employer and title. We use this information to contact you about your OCEM Assessment results and Medallia products and services.

Legal Basis for Processing. In all instances, Medallia processes Marketing Data only to the extent that it has a legal basis to do so. Generally, we rely on either a legitimate interest or consent to process Marketing Data. For more information about the legal basis for each of our processing activities contact [email protected]

Who Accesses Personal Data.

Medallia Marketing and Sales Professionals. Medallia marketing and sales teams in Medallia’s Group Companies can access Marketing Data for the purposes described above.

Third-Party Service Providers. Medallia may share
Marketing Data with third parties to (1) facilitate our communication with you; (2) providing analytics of Marketing Data and support Marketing operations; (3) assist with event registration; (4) tailor your advertisement experience. Service providers that are provided access to Marketing Data are evaluated by our vendor risk management program and agree to appropriate security and privacy safeguards when accessing or storing Marketing Data. Service providers are required to enter into data processing agreements with Medallia. The majority of service providers are located in the United States, with some providers located internationally.

Medallia also uses web analytics services, which include Google Analytics. Google Analytics is a web analytics service provided by Google Inc. (“Google”). Google Analytics uses cookies and similar technologies to analyze how users use our website. The information generated about usage (including your shortened IP address) is transmitted to Google. This information is used to evaluate visitors’ use of the Medallia website, compile statistical reports on Medallia website activity, and provide other services related to the Medallia website. Google may also collect information about our visitors’ use of other websites. You may opt out of Google Analytics or access additional information about the service by clicking here.

Security. We maintain a comprehensive security program with appropriate organizational and technical security practices measures to protect data we collect. For more details, visit https://www.medallia.com/security/.

Storage Period. Medallia maintains Marketing Data for the period of time necessary to carry out our legitimate business interests. For information about specific retention periods, please contact us at [email protected]

Data Subject Access Requests. If you are a resident of the EEA you have the following data protection rights:

If you wish to access, correct, update or request deletion of your personal information, you can do so at any time by contacting us at [email protected].

You can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information.

If we have collected and process your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.

You have the right to complain to a data protection authority about our collection and use of your personal information. Contact details for data protection authorities in the EEA are available here.

Opt Out and Preference Center. Medallia offers opt-out mechanisms for marketing communications. If you exercise your right to opt out of marketing communications, you will be added to Medallia’s opt-out list as required by applicable law. Medallia does not send marketing communications to any e-mail address on the applicable opt-out list. If you wish to withdraw your consent from receiving marketing communication, you may opt out from receiving marketing communications by accessing our Preference Center here or by clicking the “unsubscribe” link at the bottom of our communication with you. In the Preference Center, you may also tailor the type of information we provide you.

International Data Transfer and Adequacy Laws

Marketing Data is processed by Medallia Group Companies and third parties in countries that have data protection laws different from those applicable to the data subjects. To satisfy adequacy requirements related to this international data transfer (such as those in the EU):

Disclosure of Data for Legal Obligations. Medallia will provide data discussed in this notice to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend Medallia’s legal rights, or (iii) to protect the vital interests of our clients and their employees and respondents, or those of any other person. When requested by legal authorities to disclose personal information, Medallia will inform the court of various factors justifying confidentiality and respondent anonymity. Medallia will communicate with the affected client or individual as soon as possible, unless prohibited by law or court order.

Disclosure of Data for Merger, Acquisition or Sale. If Medallia is involved in a merger, acquisition or sale of all or a portion of its assets, Medallia may transfer data discussed in this notice to the buyer or new parent company. In this circumstance, the appropriate individuals will be notified about the change in ownership and use of their personal data, as well as any choices they may have regarding personal data.

Collection of Personal Data of Minors. Medallia’s website is directed to people who are at least 16 years of age or older. In the event that we have inadvertently collected data of an individual who is younger than 16, we will remove this data from our system within a reasonable time period. To make such a request, please contact [email protected]

Privacy Contact. If you have any questions or comments about this privacy notice or the practices of this site, or unresolved privacy and data use concerns, please contact Medallia by e-mailing [email protected], faxing (650) 321-3156, calling (650) 321-3000, or writing Attention: Privacy, Medallia, Inc.,575 Market Street Suite 1850, San Francisco, CA 94105. Medallia responds to non-frivolous privacy-related requests in a timely fashion, not to exceed ten (10) business days.

Recruitment Notice

Effective Date May 30, 2018 - Last Reviewed and Updated May 30, 2018

Introduction

This notice addresses the data we collect through during the Medallia job application process. Medallia uses this data for recruitment purposes, including contacting potential job candidates, enhancing the job application process, and assisting with the interview experience.

Recruitment

What Data We Collect. Medallia collects data for its recruitment efforts, including, information you voluntarily provide us and information that we obtain from third party sources (collectively, “Candidate Data”).

Information We Collect Voluntarily. When a candidate submits an application for employment, Medallia may collect personal information, such as personal data contained within a resume or curriculum vitae (including names, contact details, employment and education history), and, when applicable, Equal Employment Opportunity information that may be regarded as sensitive information in some countries (e.g., gender, ethnicity, disability status, veteran status).

Information We Obtain from Third Party Sources. In some instances, Medallia engages with third party sources to obtain additional information about you. For example, Medallia collects contact information from professional network intelligence companies or industry event providers. Information collected by professional network intelligence companies is publicly available and used by Medallia’s talent acquisition team to determine your company’s interest in employment with Medallia.

How We Use Personal Data.

Medallia uses Candidate Data to communicate with you for the purpose of providing you with information about Medallia career opportunities. Medallia also uses Candidate Data to process applications for employment, assist with the interview experience and, in some cases, supplement the employment onboarding process. Medallia may use aggregate Candidate Data to track its diversity and inclusion efforts to meet its applicable legal requirements.

Legal Basis for Processing. In all instances, Medallia processes Candidate Data only to the extent that it has a legal basis to do so. Generally, we rely on either a legitimate interest or consent to process Marketing Data. For more information about the legal basis for each of our processing activities contact [email protected]

Who Accesses Personal Data.

Medallia Teams. Medallia talent acquisition, human resources, and hiring teams in Medallia’s Group Companies can access Candidate Data for the purposes described above.

Third-Party Service Providers. Medallia may share your information with third parties to (1) facilitate the hiring process; (2) if applicable, conduct background checks; (3) host your data in a centralized location; (4) track diversity and inclusion efforts. Service providers that are provided access to Candidate Data are evaluated by our vendor risk management program and agree to appropriate security and privacy safeguards when accessing or storing our Candidate Data. Service providers are required to enter into data processing agreements with Medallia. The majority of our service providers are located in the United States, with some providers located internationally.

Security. We maintain a comprehensive security program with appropriate organizational and technical security practices measures to protect data we collect. For more details, visit https://www.medallia.com/security/.

Storage Period. Medallia maintains Candidate Data for the period of time necessary to carry out our legitimate business interests. For information about specific retention periods, please contact us at [email protected]

Data Subject Access Requests. If you are a resident of the EEA you have the following data protection rights:

If you wish to access, correct, update or request deletion of your Personal Information, you can do so at any time by contacting us at [email protected].

You can object to processing of your Personal Information, ask us to restrict processing of your Personal Information or request portability of your Personal Information.

If we have collected and process your Personal Information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your Personal Information conducted in reliance on lawful processing grounds other than consent.

You have the right to complain to a data protection authority about our collection and use of your Personal Information. Contact details for data protection authorities in the EEA are available here.

Opt Out. When you apply for a job with us, Medallia provides you with the opportunity to receive regular correspondence from us about career opportunities that we believe you might be interested in. From time to time, we may confirm that we may still contact you for these purposes. You may request to opt out from these email communications at any time. If you have any additional questions or concerns about this correspondence, please contact [email protected].

International Data Transfer and Adequacy Laws

Marketing Data is processed by Medallia Group Companies and third parties in countries that have data protection laws different from those applicable to the data subjects. To satisfy adequacy requirements related to this international data transfer (such as those in the EU), Medallia signs data processing agreements with our vendors and clients that have robust privacy and security terms, including, where appropriate, the Standard Contractual Clauses.

Disclosure of Data for Legal Obligations. Medallia will provide data discussed in this notice to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend Medallia’s legal rights, or (iii) to protect the vital interests of our clients and their employees and respondents, or those of any other person. When requested by legal authorities to disclose personal information, Medallia will inform the court of various factors justifying confidentiality and respondent anonymity. Medallia will communicate with the affected individual as soon as possible, unless prohibited by law or court order.

Disclosure of Data for Merger, Acquisition or Sale. If Medallia is involved in a merger, acquisition or sale of all or a portion of its assets, Medallia may transfer data discussed in this notice to the buyer or new parent company. In this circumstance, the appropriate individuals will be notified about the change in ownership and use of their personal data, as well as any choices they may have regarding personal data.

Collection of Personal Data of Minors. Medallia’s website and recruiting efforts are directed to people who are at least 16 years of age or older. In the event that we have inadvertently collected data of an individual who is younger than 16, we will remove this data from our system within a reasonable time period. To make such a request, please contact [email protected].

Privacy Contact. If you have any questions or comments about this privacy notice or the practices of this site, or unresolved privacy and data use concerns, please contact Medallia by e-mailing [email protected], faxing (650) 321-3156, calling (650) 321-3000, or writing Attention: Privacy, Medallia, Inc.,575 Market Street Suite 1850, San Francisco, CA 94105. Medallia responds to non-frivolous privacy-related requests in a timely fashion, not to exceed ten (10) business days.

Cookies Notice

EFFECTIVE DATE APRIL 30, 2019 - LAST REVIEWED AND UPDATED APRIL 30, 2019

Medallia uses cookies on our corporate websites and in the Medallia Experience Cloud.

In our cookies notice, we use the following terms:

“Medallia Experience Cloud” refers to the SaaS platform and provision of professional services we provide to our clients.

“respondent” refers to an individual who is prompted to provide feedback to one of Medallia’s clients through the Medallia Experience Cloud.

What is a Cookie?

A cookie is a text file which can be sent from a website and stored in a user’s web browser while a user is browsing that website. When the user browses the same website or another website that recognizes that cookie in the future, the data stored in the cookie can be retrieved by the website to notify the website of the user’s previous activity.

Cookies fulfill many different tasks, as for example letting you navigate between pages efficiently or remembering your preferences. They can also help to ensure that online-advertisements are more relevant to you with regard to your interests.

Medallia Corporate Websites

Cookies are placed on the computer of a visitor to Medallia’s corporate websites. These cookies enhance the visitor’s experience on these websites, for example to complete forms, identify returning visitors and offer related content. Cookies are also used in combination with beacons, tags and scripts on our website by Medallia and its partners to facilitate our communication with site visitors, support marketing operations and targeted advertising, tailor a visitor’s advertisement experience, analyze trends, administer the site, or understand how visitors engage with Medallia’s corporate websites.

In order to improve services we offer you, to improve marketing, analytics, or site functionality, we may combine this automatically collected log information with Marketing Data.

Cookies, beacons, tags and scripts are used by Medallia and our partners (e.g., marketing partners), affiliates, or analytics or service providers on our website. These technologies are used by Medallia’s marketing team in facilitating our communication with site visitors, supporting marketing operations, tailoring a visitor’s advertisement experience, analyzing trends, administering the site, or tracking users’ movements around the site. We receive reports based on the use of these technologies by these companies.

Categories of Cookies and Management Settings

The following describes the categories of cookies Medallia uses on our corporate websites and your options for managing them:

Category

Description

Managing Settings

Required cookies

These cookies are essential for operating Medallia’s corporate websites. They assist in the display and navigation of the site, and provide security.

Because required cookies are essential to the operation of our corporate website, the ability to opt out of these cookies is limited. Management of these cookies may be enabled on your browser via individual browser settings.

Functional cookies

These cookies allow Medallia to remember the information you have entered or choices you have made when you visit our corporate websites, and are used to provide personalized features, such as remembering your preferences for displaying video content.

You can manage the placement of functional cookies on your browser via your individual browser settings. Opting out of functional cookies may impact the functionality of Medallia’s corporate websites and degrade your experience. You can visit http://www.aboutcookies.org for detailed guidance.

Performance and analytics cookies

These cookies record information about your visit to our corporate websites (such as which portions of the website you have visited and how fast pages have loaded). Medallia uses this information to improve how our corporate websites function.

You can manage the placement of these cookies the same as functional cookies. You can visit http://www.aboutcookies.org for detailed guidance.

Advertising cookies

Medallia uses cookies on our corporate website to show you relevant advertising outside of our site. Cookies may also be used to learn whether a visitor to our corporate website later saw an ad and took an action (e.g., downloaded a white paper) from our site.

Our partners may use a cookie to determine whether we’ve shown an ad to you outside of Medallia’s corporate website and how it performed, or provide us with information about how you interacted with ads. We may also work with partners to show you an ad off of our corporate website.

See the cookie table below for our corporate website to learn more about how to opt out of data collection by third party advertising networks.

Cookie Table

The cookie tables below list some of the cookies used on our corporate website, and opt-out information (if applicable).

Cookie Host

Type

Description and Opt-out Information (if applicable)

BIG IP

Required

Server and session management

CloudFlare

Required

Cache and security

Adobe TypeKit

Required

Website design features

Vimeo

Functionality

Integration of video content

Google Analytics, Hotjar, New Relic

Performance and analytics

Analyzes when sections of the Medallia website are visited, server performance monitoring

Cookies are placed on a respondent’s computer when they visit web-based surveys navigated to from an invitation sent by the Medallia Experience Cloud, when a respondent visits the domain of one of our clients that has enabled Medallia’s digital surveys, or when an employee of a Medallia client logs on to a reporting application. These cookies enable Medallia to remember a user’s preferences (such as language), ensure the security and integrity of client data, improve our products, and personalize a respondent’s survey experience. In addition, these cookies enable a Medallia client to identify a user across different browsers or devices that access a client’s web domain, record information about the browsing session on the domain, and to customize surveys presented to the user on that domain based on that information and additional rules.

The Medallia Experience Cloud does not place cookies on a user’s computer for advertising purposes.

Categories of Cookies and Management Settings

The following describes the categories of cookies used by the Medallia Experience Cloud and your options for managing them:

Category

Description

Managing Settings

Required cookies

These cookies are essential for operating the Medallia Experience Cloud. They assist in navigation of surveys and reporting applications, ensure the security and integrity of Medallia’s and its clients’ data, and provide access to restricted content.

Because required cookies are essential to the operation of the Medallia Experience Cloud, the ability to opt out of these cookies is limited. Management of these cookies may be enabled on your browser via individual browser settings.

Functional cookies

These cookies allow Medallia to remember a user’s information or choices, and provide personalized features (such as the choice of language in a survey).

You can manage the placement of functional cookies on your browser via your individual browser settings. Opting out of functional cookies may impact the functionality of Medallia’s surveys or reporting application and degrade your experience. You can visit http://www.aboutcookies.org for detailed guidance.

Performance and analytics cookies

These cookies record information about the use of a survey or reporting application (such as how fast a survey loads or which modules within a reporting application a user interacts with). Medallia uses this information to improve how the surveys and reporting applications function. Medallia’s clients also use information collected from these cookies to improve a respondent’s survey experience (such as causing a survey on their domain to be presented only when certain conditions are met).

You can manage the placement of these cookies the same as functional cookies. You can visit http://www.aboutcookies.org for detailed guidance.

Cookie Table

The cookie tables below list some of the cookies used by the Medallia Experience Cloud, and opt-out information (if applicable).

Records information about the visitor’s session on the Medallia client’s domain, such as the number of pages a respondent has visited in their session. Used for analytics and to customize frequency of survey presentation.

kampyle_userid

Medallia

Performance and analytics

Records a randomly generated user ID for analytics and to customize frequency of survey presentation.

kampyleUserPercentile

Medallia

Performance and analytics

Records a randomly generated number used to present a survey to a percentage of users. Used to customize frequency of survey presentation.

“Marketing Data” is defined in the Website Notice, which can be accessed from the navigation pane of www.medallia.com/privacy-policy;

“Medallia Experience Cloud” refers to the SaaS platform and provision of professional services we provide to our clients; and

“respondent” refers to an individual who is prompted to provide a response to one of Medallia’s clients through the Medallia Experience Cloud.

Medallia’s activity related to the CCPA

For the purposes of this notice, Medallia has two areas of activity that are related to the CCPA.

First, Medallia collects data from consumers in the course of providing a software platform called the Medallia Experience Cloud to its clients. In this activity, Medallia acts strictly as a “service provider” to our clients under the CCPA, and our clients are “businesses”.

In the Medallia Experience Cloud, Medallia collects customer data based on our clients’ instructions. For example, our clients specify what consumers we should contact to provide feedback, when we should contact them (e.g., after completing a purchase at a client’s retail store), how we should contact them (e.g., email or SMS), how often we should send them reminders to provide a response, and what questions are asked. Medallia’s clients also decide how to use or respond to feedback that is collected.

Second, Medallia collects data from consumers in the course of its marketing efforts. This includes information we collect voluntarily from forms on our website and event registrations, information we collect automatically when you visit our website, and information we obtain from third party sources. In this activity, Medallia acts as a “business” under the CCPA.

Medallia’s handling of personal information under the CCPA

Regardless of which area of activity applies to you, Medallia does not sell your personal information.

To be clear, in the previous 12 months we have not sold, rented, released, disclosed, disseminated, made available, transferred, or otherwise communicated a consumer’s personal information to another business or third party for monetary or other valuable consideration. If that changes, we will update this notice.

Further, when we provide the Medallia Experience Cloud to our clients, we do not:

process personal information for any commercial purpose other than providing our clients the products and services they have purchased; or

retain, use or disclose personal information outside of the scope of the agreements we have with our clients.

Personal information collected and disclosures for business purposes

The CCPA requires that we disclose the categories of personal information we collect about consumers, and the categories of personal information we disclose for a business purpose.

The chart below details where you find information about the categories of personal information that Medallia has collected in the previous 12 months for each activity related to the CCPA.

Activity

Where you can find information

Providing the Medallia Experience Cloud to Medallia clients as a “service provider”.

The categories of personal information Medallia collects about consumers vary depending on our clients’ implementation and use of our software.

For a generalized description of these categories, see the section of the Medallia Experience Cloud Privacy Notice titled “What Data We Collect and How We Collect It”. This notice can be accessed from the navigation pane of www.medallia.com/privacy-policy.

For more information on the types of data collected by a particular Medallia client, refer to the privacy notice or communications of the Medallia client.

Our clients’ privacy notices are commonly located in the Medallia survey invitation (for web-based surveys) or on the client’s web site or mobile application (for digital surveys).

Carrying out Medallia’s marketing efforts as a “business”.

See the section of our Website Privacy Notice titled “What Data We Collect”.

The chart below details where you can find information about the categories of information we disclose for a business purpose in the previous 12 months.

Activity

Where you can find information

Providing the Medallia Experience Cloud to Medallia clients as a “service provider”.

The categories of personal information Medallia discloses for a business purpose vary depending on the features of our software our clients use, and the servicing and support they have purchased.

For a generalized description of these disclosures, see the section of the Medallia Experience Cloud Privacy Notice titled “Who Accesses Personal Data”. This notice can be accessed from the navigation pane of www.medallia.com/privacy-policy.

For more information on the disclosures made a particular Medallia client, refer to the privacy notice or communications of the Medallia client.

Our clients’ privacy notices are commonly located in the Medallia survey invitation (for web-based surveys) or on the client’s web site or mobile application (for digital surveys).

Your rights under the CCPA include the right to request a copy of the specific personal information collected about you in the 12 months prior to the request, and a business’s data collection practices (including categories of information collected, how information is used, and who it is disclosed to). We will generally refer to these as “access requests”.

In addition, with some exceptions, you can request deletion of the personal information that is collected about you. We will generally refer to these as “deletion requests”.

With respect to personal data of consumers collected in the Medallia Experience Cloud, Medallia’s clients are responsible for fulfilling access and deletion requests. Medallia supports these requests by offering our clients product features, processes and assistance in exporting personal information about individuals. These product features and processes complete the data deletion within 30 days of receiving the request from our client.

With respect to the personal data of consumers collected in Medallia’s marketing efforts, we are responsible for fulfilling access and deletion requests.

The chart below details how you can exercise your rights under the CCPA.

Activity

How to exercise your access and deletion rights

Providing the Medallia Experience Cloud to Medallia clients as a “service provider”.

Please contact the Medallia client identified in the communication you received.

Contact information is commonly located within the communication or in a privacy policy linked from the communication.

In the request, please be as specific as possible in relation to the personal information you wish to access or delete. Once we receive the request, we will review it, and process the request accordingly. If we need additional information to verify your identity, we will let you know.

Any identifying information in such requests will be used solely for verification, and to communicate with you. We will respond to the request within 45 days of receipt, or notify you if you require additional time.